54 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
60 static void DetectIsdataatRegisterTests(
void);
61 static void DetectAbsentRegisterTests(
void);
85 }
else if (strcmp(optstr,
"or_else") == 0) {
88 SCLogError(
"unhandled value for absent keyword: %s", optstr);
92 SCLogError(
"unspected buffer for absent keyword");
97 SCLogError(
"absent does not work with frames");
101 SCLogError(
"absent must come first right after buffer");
112 DetectAbsentFree(
de_ctx, dad);
120 bool has_other =
false;
121 bool only_absent =
false;
122 bool has_absent =
false;
135 SCLogError(
"signature can't have absent and fast_pattern on the same buffer");
142 if (only_absent && has_other) {
143 SCLogError(
"signature can't have a buffer tested absent and tested with other keywords "
146 }
else if (has_absent && !only_absent && !has_other) {
148 "signature with absent: or_else expects other keywords to test on such as content");
200 char *args[3] = {NULL,NULL,NULL};
205 pcre2_match_data *match = NULL;
207 if (ret < 1 || ret > 4) {
208 SCLogError(
"pcre_exec parse error, ret %" PRId32
", string %s", ret, isdataatstr);
214 res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
216 SCLogError(
"pcre2_substring_get_bynumber failed");
219 args[0] = (
char *)str_ptr;
223 res = pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
225 SCLogError(
"pcre2_substring_get_bynumber failed");
228 args[1] = (
char *)str_ptr;
231 res = pcre2_substring_get_bynumber(match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
233 SCLogError(
"pcre2_substring_get_bynumber failed");
236 args[2] = (
char *)str_ptr;
246 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
249 "var name for offset. \"offset\" argument supplied to "
250 "this function has to be non-NULL");
258 strlen(args[0]), args[0]) < 0 ) {
266 if (args[1] !=NULL) {
273 if (isdataatstr[0] ==
'!') {
277 for (i = 0; i < (ret -1); i++) {
279 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
282 pcre2_match_data_free(match);
289 pcre2_match_data_free(match);
291 for (i = 0; i < (ret -1) && i < 3; i++){
293 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
319 idad = DetectIsdataatParse(
de_ctx, isdataatstr, &
offset);
352 "seen in isdataat - %s\n",
385 if (prev_pm == NULL) {
428 "preceding content option");
443 static int g_dce_stub_data_buffer_id = 0;
449 static int DetectIsdataatTestParse01 (
void)
453 idad = DetectIsdataatParse(NULL,
"30 ", NULL);
466 static int DetectIsdataatTestParse02 (
void)
470 idad = DetectIsdataatParse(NULL,
"30 , relative", NULL);
483 static int DetectIsdataatTestParse03 (
void)
487 idad = DetectIsdataatParse(NULL,
"30,relative, rawbytes ", NULL);
499 static int DetectIsdataatTestParse04(
void)
525 static int DetectIsdataatTestParse06(
void)
532 "(msg:\"Testing bytejump_body\"; "
534 "isdataat:!4,relative; sid:1;)");
548 "(msg:\"Testing bytejump_body\"; "
550 "isdataat: !4,relative; sid:2;)");
570 static int DetectIsdataatTestPacket01 (
void)
573 uint8_t *buf = (uint8_t *)
"Hi all!";
574 uint16_t buflen = strlen((
char *)buf);
580 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
584 sigs[0]=
"alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
585 sigs[1]=
"alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
586 sigs[2]=
"alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
587 sigs[3]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
588 sigs[4]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
590 uint32_t sid[5] = {1, 2, 3, 4, 5};
592 uint32_t results[3][5] = {
600 result =
UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 5);
612 static int DetectIsdataatTestPacket02 (
void)
615 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
616 "User-Agent: Wget/1.11.4"
618 "Host: www.google.com"
619 "Connection: Keep-Alive"
620 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
621 uint16_t buflen = strlen((
char *)buf);
628 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with"
629 " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
630 "DullBoy/\"; isdataat:96,relative; sid:1;)";
644 static int DetectIsdataatTestPacket03 (
void)
647 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
648 "User-Agent: Wget/1.11.4"
650 "Host: www.google.com"
651 "Connection: Keep-Alive"
652 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
653 uint16_t buflen = strlen((
char *)buf);
660 char sig[] =
"alert tcp any any -> any any (msg:\"byte_jump match = 0 "
661 "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
662 "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
674 void DetectIsdataatRegisterTests(
void)
678 UtRegisterTest(
"DetectIsdataatTestParse01", DetectIsdataatTestParse01);
679 UtRegisterTest(
"DetectIsdataatTestParse02", DetectIsdataatTestParse02);
680 UtRegisterTest(
"DetectIsdataatTestParse03", DetectIsdataatTestParse03);
681 UtRegisterTest(
"DetectIsdataatTestParse04", DetectIsdataatTestParse04);
682 UtRegisterTest(
"DetectIsdataatTestParse06", DetectIsdataatTestParse06);
684 UtRegisterTest(
"DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
685 UtRegisterTest(
"DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
686 UtRegisterTest(
"DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);
689 static int DetectAbsentTestParse01(
void)
696 "alert http any any -> any any "
697 "(msg:\"invalid absent only with negated content\"; http.user_agent; "
698 "absent; content:!\"one\"; sid:2;)");
701 "(msg:\"invalid absent\"; http.user_agent; "
702 "content:!\"one\"; absent; sid:2;)");
705 "(msg:\"invalid absent\"; http.user_agent; "
706 "content:\"one\"; absent: or_else; sid:2;)");
709 "(msg:\"absent without sticky buffer\"; "
710 "content:!\"one\"; absent: or_else; sid:2;)");
713 "alert websocket any any -> any any "
714 "(msg:\"absent with frame\"; "
715 "frame: websocket.pdu; absent: or_else; content:!\"one\"; sid:2;)");
721 void DetectAbsentRegisterTests(
void)
723 UtRegisterTest(
"DetectAbsentTestParse01", DetectAbsentTestParse01);
#define DETECT_CONTENT_RELATIVE_NEXT
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
int DetectIsdataatSetup(DetectEngineCtx *, Signature *, const char *)
This function is used to add the parsed isdataatdata into the current signature.
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
#define ISDATAAT_OFFSET_VAR
void SigFree(DetectEngineCtx *, Signature *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int UTHPacketMatchSig(Packet *p, const char *sig)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define PARSE_REGEX
Regex for parsing our isdataat options.
uint8_t DetectByteIndexType
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_ENDS_WITH
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
#define ISDATAAT_RELATIVE
const DetectBufferType * DetectEngineBufferTypeGetById(const DetectEngineCtx *de_ctx, const int id)
SignatureInitData * init_data
#define ISDATAAT_RAWBYTES
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
bool DetectAbsentValidateContentCallback(Signature *s, const SignatureInitDataBuffer *b)
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
SignatureInitDataBuffer * curbuf
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that performs a generic check taking care of as maximum common unittest eleme...
#define SIGMATCH_OPTIONAL_OPT
#define SCLogError(...)
Macro used to log ERROR messages.
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
#define DETECT_PCRE_RELATIVE_NEXT
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Signature * SigAlloc(void)
#define DETECT_CONTENT_FAST_PATTERN
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
void DetectIsdataatFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIsdataatData
void(* RegisterTests)(void)
void DetectIsdataatRegister(void)
Registration function for isdataat: keyword.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.